{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25139", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-29T14:03:42.540Z", "datePublished": "2026-02-04T17:47:00.378Z", "dateUpdated": "2026-02-04T19:29:55.053Z"}, "containers": {"cna": {"title": "RIOT Vulnerable to Multiple Out-of-Bounds Read When Processing Received 6LoWPAN SFR Fragments", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc"}], "affected": [{"vendor": "RIOT-OS", "product": "RIOT", "versions": [{"version": "<= 2025.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:47:00.378Z"}, "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists."}], "source": {"advisory": "GHSA-c8fh-23qr-97mc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-04T19:27:05.253904Z", "id": "CVE-2026-25139", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:29:55.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-04T19:27:05.253904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T19:29:48.547Z"}}], "cna": {"title": "RIOT Vulnerable to Multiple Out-of-Bounds Read When Processing Received 6LoWPAN SFR Fragments", "source": {"advisory": "GHSA-c8fh-23qr-97mc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "RIOT-OS", "product": "RIOT", "versions": [{"status": "affected", "version": "<= 2025.10"}]}], "references": [{"url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc", "name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T17:47:00.378Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25139", "state": "PUBLISHED", "dateUpdated": "2026-02-04T19:29:55.053Z", "dateReserved": "2026-01-29T14:03:42.540Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T17:47:00.378Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*", "matchCriteriaId": "262B78DC-ABA0-4E16-A9B1-7BA07826ADE3", "versionEndIncluding": "2025.10", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists."}, {"lang": "es", "value": "RIOT es un sistema operativo de microcontrolador de c\u00f3digo abierto, dise\u00f1ado para cumplir con los requisitos de los dispositivos de internet de las cosas (IoT) y otros dispositivos embebidos. En la versi\u00f3n 2025.10 y anteriores, m\u00faltiples lecturas fuera de l\u00edmites permiten a cualquier usuario no autenticado, con la capacidad de enviar o manipular paquetes de entrada, leer ubicaciones de memoria adyacentes o bloquear un dispositivo vulnerable que ejecute la pila 6LoWPAN. El paquete recibido se convierte a una estructura sixlowpan_sfr_rfrag_t y se desreferencia sin validar que el paquete sea lo suficientemente grande como para contener el objeto de la estructura. En el momento de la publicaci\u00f3n, no existe ning\u00fan parche conocido."}], "id": "CVE-2026-25139", "lastModified": "2026-02-20T17:08:42.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-04T18:16:09.207", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:22:59.841402+00:00", "value": {"mitigation_remediation": ["Upgrade to a RIOT release that contains a fix for the 6LoWPAN out\u2011of\u2011bounds read once it becomes available.", "Apply a temporary code change to the sixlowpan module that validates the packet length against the expected structure size before performing the cast, thereby preventing the out\u2011of\u2011bounds read.", "Block or filter malformed 6LoWPAN fragments at the network border, or use a firewall that rejects packets with unexpected fragment lengths until a patch is applied."], "summary": {"action": "Monitor", "impact": "Out\u2011of\u2011Bounds Read in RIOT 6LoWPAN handling"}, "threat_synthesis": {"affected_systems": "The flaw affects the RIOT open\u2011source microcontroller OS, specifically versions 2025.10 and earlier. All devices running the 6LoWPAN stack in those releases are vulnerable. At release time no patch was available from RIOT\u2011OS; users should verify the firmware version against the advisory.", "description_and_impact": "The vulnerability arises when the RIOT 6LoWPAN stack processes received Frame Fragment SFR packets without size validation. Incoming data is cast directly to a sixlowpan_sfr_rfrag_t structure, creating an out\u2011of\u2011bounds read. An unauthenticated attacker can send crafted 6LoWPAN fragments to cause the operating system to read arbitrary adjacent memory or to crash the device. The read may expose sensitive information stored in nearby memory, while a crash would result in denial of service.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity, and the EPSS score of less than 1% suggests a low probability of exploitation observed so far. The vulnerability is not listed in CISA\u2019s KEV catalog, but a remote attacker with network access can exploit it by sending malformed SFR fragments over 6LoWPAN. Because the code bypasses bounds checking, the attack requires only network connectivity and no authentication, giving the attacker broad potential impact."}}}}, "created": "2026-02-05T11:39:53.751868+00:00", "updated": "2026-04-17T23:30:15.912838+00:00", "vendors": ["riot-os", "riot-os$PRODUCT$riot"]}